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DETAILED ACTION 

1 . This action is responsive to communication: amendment filed on 1 March 2005. 

2. Claims 1, 2, 3, 6-23, 25-34 are currently pending in this application. Claims 1, 9, 
17, 21, and 30 are independent claims. Claims 4, 5, and 24 have been withdrawn. 

Response to Arguments 

3. Applicant's arguments filed 1 March 2005 have been fully considered. 

In response to applicant's argument on beginning on page 2, "The office action 
alleges that claims 1-3, 6-20, and 25-34 are unpatentable in view of Harrison, either 
alone or in combination with one or more of Naveh and Rothermel. This contention has 
been obviated by the attached declaration by Uhlas Warrier". The Office does not 
agree for the following reasons, the affidavit is deficient in showing conception or 
reduction in practice as well as lacking in showing diligence; also an affidavit is needed 
from all inventors of the claimed invention (missing affidavit from Prakash Iyer); in 
addition an affidavit is not proper to overcome a rejection if the reference is claiming 
essentially the same invention as the applicant. Therefore in order to correct affidavit 
submission, the applicant needs to show either proof of conception or reduction in 
practice, as well as, the applicant needs to shown diligence in filing the application of 
the invention. If the reference and the applicant are claiming the same invention an 
interference would be proper a declaration would not overcome the rejection. 
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In response to applicant's argument beginning on page 3, "Claims 21-23 stand 
rejected under 35 U.S.C. 102 (e) as allegedly being anticipated by Naveh. A new 
rejection is below in which Naveh and Harrison are used in combination for 
' claims 21-23, therefore these arguments are moot. 

Affidavit or Declaration Under CFR 1.131, Ineffective, Insufficient Evidence 

of Conception . 

4. . The Declaration filed on 1 March 2005 under 37 CFR 1 .131 has been considered 
but is ineffective to overcome the Harrison et al. U.S. Patent No. 6,539,483 (hereinafter 
'483) reference. 

5. The '483 reference is a U.S. patent or U.S. patent application publication of a 
pending or patented application that claims the rejected invention. An affidavit or 
declaration is inappropriate under 37 CFR 1.131(a) when the reference is claiming the 
same patentable invention, see MPEP § 2306. If the reference and this application are 
not commonly owned, the reference can only be overcome by establishing priority of 
invention through interference proceedings. See MPEP Chapter 2300 for information 
on initiating interference proceedings. If the reference and this application are 
commonly owned, the reference may be disqualified as prior art by an affidavit or 
declaration under 37 CFR 1 . 1 30. See MPEP § 71 8. Claim 1 of the applicant is claiming 
the same invention as claim 1 of the '483 reference. 
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"A method of managing a network session comprising: delivering security 
policies from a server to a remote system that has predetermined configuration 
information and allows running at least one application program" has the same 
meaning as claim 1, lines 25-30 "A method for generating a plurality of policies in a 
Virtual Private Network (VPN) wherein each policy includes a condition and at least one 
action and in which the VPN is defined by a sum of plurality of policy segments"; 

"establishing a secure virtual private network connection between the 
server and the system" has the same meaning as claim 1, lines 35-39 "each device 
interface profile containing device specific information that is needed to generate a 
traffic profile and an Internet Protocol Security (IPSec) data management action 
component for the policy segment"; 

"regulating activities in the system based on both of the security policies 
and a context of said at least one application program including at least a state of 
running of said at least one application program" has the same meaning as claim 1, 
lines 25-39 "wherein each policy includes a condition and at least one action and in 
which the VPN is defined by a sum of plurality of policy segments ... each policy 
segment being defined by specifying a device list, a topology connection type and policy 
template, said policy segment device list comprising a user-defined collection of other 
device lists or device interface profiles, each device interface profile containing device 
specific information that is needed to generate a traffic profile" The "traffic profile" in 
relation with the policy segment and policy components, connection type, has the same 
meaning as "context of at least one application program". 
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6. The evidence submitted is insufficient to establish a conception of the invention 
prior to the effective date of the '483 reference. While conception is the mental part of 
the inventive act, it must be capable of proof, such as by demonstrative evidence or by 
a complete disclosure to another. Conception is more than a vague idea of how to 
solve a problem. The requisite means themselves and their interaction must also be 
comprehended. See Mergenthaler v. Scudder, 1897 CD. 724, 81 O.G. 1417 (D.C. Cir. 
1897). The evidence submitted does not show proof that the invention was conceived 
prior to Jan 12, 2000. The applicant has only stated that they were working on the 
invention prior to the date 12 Jan 2000, the applicant did not provide any documentation 
for actions prior to the filing date of application 31 March 2000. 

7. The evidence submitted is insufficient to establish diligence from a date prior to 
the date of reduction to practice of the '483 reference to either a constructive reduction 
to practice or an actual reduction to practice. Diligence is lacking because no 
documents were submitted that show applicant was working on the invention. An 
example of proof would be communication between themselves and an attorney for 
drafting the application. 

8. The oath or declaration is defective. A new oath or declaration in compliance 

with 37 CFR 1.67(a) identifying this application by application number and filing date is 

required. See MPEP §§ 602.01 and 602.02. 

The oath or declaration is defective because: not all of the named inventors of 
application signed the declaration submitted 1 March 2005. 
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Claim Rejections - 35 USC § 102 

9. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

10. Claims 1, 7, 9, 10, 13 and 17 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Harrison et al. U.S. Patent No. 6,539,483 (hereinafter '483). 

As to independent claim 1, "A method of managing a network session 
comprising" is taught in '483 col. 3, lines 29-43; 

"delivering security policies from a server to a remote system that has 
predetermined configuration information and allows running at least one 
application program; establishing a secure virtual private network connection 
between the server and the system" is shown in 483 col. 5, lines 23-62; 

"regulating activities in the system based on both of the security policies 
and a context of said at least one application program including at least a state of 
running of said at least one application program" is disclosed in 483 col. 4, lines 
43-60. 

As to dependent claim 7, "further comprising updating the set of policies" 

is taught in 483 col. 5, lines 48-50. 
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As to independent claim 9, this claim is directed to a computer-readable 
medium of the method of claim 1 and is rejected along similar rationale. 

As to dependent claims 10, this claim contains substantially similar subject 
matter as claim 7; therefore it is rejected along the same rationale. 

As to dependent claim 13, "wherein the rejection criteria includes the set of 
policies" is taught in '483 col. 3, lines 29-33. 

As to independent claim 17, this claim is directed to the system of the method 
of claim 1 and is rejected along similar rationale. 

Claim Rejections - 35 USC § 103 

11. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

12. Claims 21, 22, and 23, are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Naveh et al., U.S. Patent No. 6,466,984 (hereinafter '984) in further 
view of '483. 

As to independent claim 21, "A network stack comprising: a policy engine 
a policy store adapted to interact with the policy engine and store a set of policies 
from the policy engine; a socket interceptor coupled to the policy engine; a 
packet guard coupled to the policy engine;" is taught in 984 col. 5, lines 19-67 The 
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method involves creating one or more mappings, each mapping representing an 
abstract policy ... The mappings are converted into one or more settings of the network 
device, which enforces the policy in response to receiving traffic from the application 
program that matches the traffic flow type. One feature of this embodiment is that 
creating and storing one or more mappings comprises registering one or more 
application codepoints, which are associated with traffic flow types"; 
the following is not taught in '984 

"use the packet guard to filter unauthorized activities received from the 
network interface; use the packet guard to filter the data packets from 
unauthorized users and applications based on the context information received 
by the socket interceptor; and use the packet guard to filter data packets based 
on the policies and provide the packet guard with context information about the 
unauthorized users and applications including at least information about a 
running state of the application" however '483 teaches "RSVP is a network control 
protocol that allows Internet application to obtain special qualities-of-service (QoS's) for 
their data flows ... A VPN policy must contain a condition consisting of a validity period 
and a traffic profile and at least one policy action. The validity period component 
definition may be used in multiple policies" in col. 4, lines 43-67; 

"a configurable management process adapted to reconfigure the network 
stack and having instructions to: receive policies in the policy engine from the 
policy server" however '483 teaches "The policy configuration application resident on 
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device 60 interacts with the LDAP server 100 to create update and delete VPN policies" 
in col. 5, lines 48-50; 

"use the socket interceptor to detect and reject data packets from 
unauthorized users and applications and provide the packet guard with context 
information about the unauthorized users and applications including at least 
information about a running state of the application" however '483 teaches The 
condition reference includes a validity period and a traffic profile. The action reference 
includes at least on of an IPsec action, a DiffServ action or an RSVP action" in col. 3, 
lines 55-60. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify a policy management system taught in '984 to include a means to 
adapt policies for a Virtual Private Network. One of ordinary skill in the art would have 
been motivated to perform such a modification because a need exits use policy 
management with a VPN in order to securely transmit information see '483 (col. 1, lines 
18 et seq.). "A Virtual Private Network (VPN) provides end users a mean to securely 
transport information from an intranet across a public Internet Protocol (IP) network 
such as the Internet ... The policies provide access control to resources". 

As to dependent claim 22, "The network stack of claim 21 further 
comprising a packet translator adapted to interact with the socket interceptor and 
the packet guard" is shown in '984 col. 7, lines 16-60 An embodiment of the invention 
is used in the context of a network. FIG. 2 is a block diagram of a computer network 
200 that includes a plurality of local area networks 202, 204, 206 interconnected by a 



Application/Control Number: 09/539,928 Page 10 

Art Unit: 2134 

plurality of intermediate network devices 208, 210. A plurality of network end stations, 
such as end station 212 and print server 214, are coupled to the LANs. The network 
further includes at least one policy server 216 that may be coupled to a repository 218 
and to a network administrator station 220. A server suitable for use as policy server 
216 is any Windows NT.RTM. or UNIX workstation or similar computer platform. 
Network 200 also includes at least one host or server 222 configured in accordance with 
the present invention. 

As to dependent claim 23, "The network stack of claim 21 further 
comprising an interface to a network adapted to connect the network stack to the 
network, wherein the network has a policy server" is disclosed in 984 col. 7, lines 
16-60. 

13. Claims 2, 3, 6, 11, 12, 14, 15, 18, 19, 25, 26, 28, 29, 30, 31, and 32, are rejected 
under 35 U.S.C. 103(a) as being unpatentable over '483 as applied to above claims, in 
further view of Naveh et al., U.S. Patent No. 6,466,984 (hereinafter '984). 

As to dependent claims 2, the following is not taught in '483 "wherein said 
regulating the activities comprises providing filters that are adapted to reject 
unauthorized data packets based on rejection criteria that are conditioned on said 
running state" however f 984 teaches "For each flow generated by the application, this 
information is then used to map the application parameters attached to the flow into a 
concrete QoS decision and a signaling mechanism. For example, the process is 
notified by the application about the start of each flow with its parameters and this 
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information is converted into QoS information usable by a network device. The simplest 
case is mapping one ACP into a DSCP value, as shown by block 710, and then setting 
a QoS value may be set by marking the flow packets using an appropriate operating 
system call to an existing QoSservice"" in col. 1 1 , lies 44-56. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify a method of managing a network session taught in '483 to include a 
means filter the packets of an application. One of ordinary skill in the art would have 
been motivated to perform such a modification because a need exits to integrate 
applications into a policy see '984 (col. 5, lines 12 et seq.). "Thus, there is a need for a 
mechanism that integrates application into a policy-based networking system, and 
enables applications to participate in deciding how to apply a particular QoS to a traffic 
flow generated by the application". 

As to dependent claim 3, "wherein the rejection criteria include the 
predetermined configuration information" is shown in 984 col. 11, lines 3-17 "In 
block 704, policies are established based on the ACPs that are registered in association 
with the application". 

As to dependent claims 6, "wherein regulating the activities comprises: 
providing a session layer adapted to reject unauthorized data packets based on 
context information; and providing filters adapted to reject unauthorized data 
packets based on rejection criteria from at least one of the context information 
and the policies" is disclosed in '984 col. 1 1 , lines 45-64. 
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As to dependent claims 11, 12, 14, and 15, these claims contain substantially 
similar subject matter as claims 2, 3, and 6 above; therefore they are rejected along the 
same rationale. 

As to dependent claim 18, "further comprising a network stack" is taught in 
'984 col. 7, lines 48-60. 

As to dependent claim 19, "wherein the network stack comprises: a policy 
engine connected to the first device; a policy store connected to the policy 
engine; a socket interceptor connected to the policy engine; and a packet guard 
connected to the policy engine" is shown in '984 col. 5, lines 19-67 "The method 
involves creating one or more mappings, each mapping representing an abstract policy 
... The mappings are converted into one or more settings of the network device, which 
enforces the policy in response to receiving traffic from the application program that 
matches the traffic flow type. One feature of this embodiment is that creating and 
storing one or more mappings comprises registering one or more application 
codepoints, which are associated with traffic flow types". 

As to dependent claim 25, "wherein said remote system includes a network 
stack, and wherein said regulating activities comprises reconfiguring the 
network stack to control filtering of network packets, based on said policies and 
said running state" is disclosed in '984 col. 7, lines 16-60. 

As to dependent claim 26, "wherein said policies include information about 
authorized kinds of information when certain applications are running, and said 
regulating activities comprises determining if a specified application is running, 
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allowing a specified kind of network packet to pass only when said specified 
application is running, and blocking said specified kind of network packet from 
passing when said specified application is not running" is taught in 984 col. 15, 
lines 15-58 "FIG. 5 is a block diagram of a portion of a Repository that contains a 
Directory Schema 500. The Directory Schema 500 may represent the topology of a 
managed network or other directory information useful in network management .... 
Examples of servies include delay, guaranteed bandwidth a queuing type on a router 
interface, etcl. The services in the list also define signaling mechanisms that may be 
used for accessing the service". 

As to dependent claims 28 and 29, these claims are substantially similar to 
claim 26 above and are rejected along the same rationale. 

As to independent claim 30, "A method, comprising: establishing a virtual 
private network (VPN) session between a primary computing system and a 
remote computing system includes a security policy engine, and wherein the 
primary computing system includes a security policy engine" is taught in 483 col. 
3, lines 29-60 "The forgoing objective is achieved by the system method and program 
product of the present invention in which a Virtual Private Network (VPN) is defined by 
the sum of a plurality of policy segments"; 

"and wherein the remote computing system includes a network stack" is 
shown in '984 col. 7, lines 48-60 "Communication facility 228 preferably includes one or 
more software libraries for implements a communication protocol stack" 
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"transmitting information indicative of security parameters from the 
primary computing system to the remote computing system using the security 
policy engine" is disclosed in 483 col. 5, lines 23-55 "In the preferred embodiment, a 
policy database is loaded or copied to a network device. FIG. 3 illustrates how a set of 
policies for a specific device are logically stored. It may have been downloaded from a 
server, provided by a device configuration application or entered from the network 
device's command line interface". 

"configuring the network stack based on the information indicative of 
security parameters" is taught in '984 col. 9, lines 18-55 "A Schema stored in the 
Repository provides an integration point and a common information model for 
communication between Application 608 and Policy Server"; 

"subsequently running a particular application program on the remote computing 
system; selecting information indicative of updated security parameters based on a running 
state of the particular application program and dynamically reconfiguring the network 
stack based on the information indicative of the updated security parameters" is shown in 
'984 col, 15, lines 15-55 u As shown in RIG. 5, Root node 502 is coupled to a plurality of 
Application nodes 504A, 504B, 504C. There may be any number of Application nodes. Each 
Application node represent a particular application program that is used in the managed network 
. . . Each Policy Statement terminates in an Action. For example, Condition nodes 506A, 506B 
terminate at Action node 510. Each Action node represents an action to apply to network 
devices when an associated application generates a traffic flow such that the Policy Statement 
evaluates to TRUE". 
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As to dependent claim 31, "wherein the primary computing system is a 
corporate local area network (LAN)" is disclosed in '984 col. 7, lines 18-31 "An 
embodiment of the invention is used in the context of a network. FIG. 2 is a block 
diagram of a computer network 200 that includes a plurality of local area networks 202, 
204, 206 interconnected by a plurality of intermediate network devices 208, 210. A 
plurality of network end stations, such as end station 212 and print server 214, are 
coupled to the LANs. The network further includes at least one policy server 216 that 
may be coupled to a repository 218 and to a network administrator station 220. A 
server suitable for use as policy server 216 is any Windows NT.RTM. or UNIX 
workstation or similar computer platform. Network 200 also includes at least one host 
or server 222 configured in accordance with the present invention" 

As to dependent claim 32 "wherein the remote primary computing system 
is a remote home network" is taught in '984 col. 16 line 63 through col. 17, line 10 
"Various forms of computer readable media may be involved in carrying one or more 
sequences of one or more instructions to processor 804 for execution. For example, 
the instructions may initially be carried on a magnetic disk of a remote computer. The 
remote computer can load the instructions into its dynamic memory and send the 
instructions over a telephone line using a modem. A modem local to computer system 
800 can receive the data on the telephone line and use an infra-red transmitter to 
convert the data to an infra-red signal. An infra-red detector can receive the data 
carried in the infra-red signal and appropriate circuitry can place the data on bus 802. 
Bus 802 carries the data to main memory 806, from which processor 804 retrieves and 
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executes the instructions. The instructions received by main memory 806 may 
optionally be stored on storage device 810 either before or after execution by 
processor 804". 

14. Claims 8, 16, and 20, are rejected under 35 U.S.C. 103(a) as being 
unpatentable over '483 as applied to above claims, in further view of Rothermel et al. 
U.S. Patent No. 6,678,827 (hereinafter '827). 

As to dependent claim 8, the following is not taught in '483 "further 
comprising: detecting data packets from the regulated activities; and rejecting 
the data packets from the regulated activities" however '827 teaches "The routine 
begin a t step 705 where the NSD executes an initial boot program that loads the 
software to be executed by the NSD. After the software is loaded, the routine continues 
to step 710 to load various NSD-specific network packet filer rules that will be used to 
implement the specific security policy for the NSD ... the subroutine continues to step 
820 to determine a default action to be taken for the packets. A variety of types of 
default actions can be used, including denying passage of all packets that are not 
explicitly approved" in col. 14, line 60 through col. 15, line 52. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify a method of managing a network session taught in '483 to include a means reject 
packets from regulated activities. One of ordinary skill in the art would have been motivated to 
perform such a modification because the progresses in technology create a need exits to mange 
confidential information see '827 (col. 1, lines 13 et seq.). "As computer systems and other 



Application/Control Number: 09/539,928 Page 17 

Art Unit: 2134 

network devices (e.g., printers, modems, and scanners) have become increasingly interconnected, 
it is increasingly important to protect sensitive information". 

As to dependent claim 16, this claim contains substantially similar subject 
matter as claim 8; therefore it is rejected along similar rationale. 

As to dependent claim 20, "the first device further comprising instruction 
to monitor the system for the intervening process" is taught in 827 col. 15, 
lines 3-7. 

15. Claims 27, 33 and 34, are rejected under 35 U.S.C. 103(a) as being 
unpatentable over '483 as applied to above claims, in further view of '984 in further view 
of '827. 

As to dependent claim 27, the following is not taught in the combination of '483 
and 984 "wherein said specified application is a word processing program, and 
said kind of network packet is word processing data" however '827 teaches "In 
addition, events of interest which trigger the logging of network security information or 
the notification of some entity can be defined and identified in a variety of ways, such 
as any packets to or from a particular device or a device in a particular class of 
devices, any packets for which a specific action are taken (e.g., deny passage), any 
packets containing contents of interest (e.g., particular words or an attached file of a 
particular type), any packets corresponding to a particular type of network service (e.g., 
HTTP requests), etc. Finally, a variety of means for providing security to information 
being transmitted over a non-secure network can be utilized, including symmetric keys, 
asymmetric keys, passwords, etc.)" in col. 17, lines 10-22. 
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It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify a method of managing a network session and with a means to filter 
packets taught in '483 and '984 to include a means reject packets from regulated 
activities. One of ordinary skill in the art would have been motivated to perform such a 
modification because the progresses in technology create a need exits to mange 
confidential information see '827 (col. 1, lines 13 et seq.). "As computer systems and 
other network devices (e.g., printers, modems, and scanners) have become 
increasingly interconnected, it is increasingly important to protect sensitive 
information". 

As to dependent claim 33, "wherein the particular application program is a 
word processing program and wherein when the running state of the work 
processing program indicates that the word processing program is not running, 
the information indicative of security parameters causes the remote computing 
system to block word processing packets received at the remote computing 
system" is shown in '827 col. 17, lines 10-22. 

As to dependent claim 34, "wherein the particular application program is a 
word processing program, and wherein when the running state of the word 
processing program indicates that the word processing program is running, the 
information indicative of updated security parameters causes the remote 
computing system to not block word processing packets received at the remote 
computing system" is disclosed in '827 col. 17, lines 10-22 
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Conclusion 



16. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C Tran whose telephone number is (703) 305- 
8917. The examiner can normally be reached on 6:30 am to 3:30 pm Monday - 
Thursday and alternating Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (703) 308-4789. The fax phone 
number for the organization where this application or proceeding is assigned is (703) 
872-9306. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703) 305- 
3900. 




Ellen. Tran 
Patent Examiner 
Technology Center 2134 
2 June 2005 
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